Release Notes


9.8 Release Notes

Release Date: 30 Aug 2022


Validated and successful update paths from 9.5.6, 9.6.6, and 9.7.3 to 9.8.0

Summary
These release notes provide information about new features, improvements, and resolved issues for FireMon's Security Intelligence Platform. This includes the four main SIP modules (Security Manager, Administration, Policy Planner, and Policy Optimizer), as well as Risk Analyzer, FMOS updates, data collector and device changes, and resolved Support tickets. Any additional 9.8 releases (for example, 9.8.2) will be added to this document.

Highlights:

FMOS

Caution! At the time of the FMOS 9.8 release, AWS deployment install script procedures are still being tested. If you plan to deploy the FMOS 9.8 release to an AWS environment, we recommend waiting until FireMon has completed testing. Updates to install readiness will be posted on the User Center.

Device Support
Improved ICMPv6 support across the majority of non-Tier-1 device packs.
Check Point: Updated the process for granular change made by a user for Check Point R8x.
F5 Networks: Updated change detection and AFM usage regexes to allow for Central Syslog Server support.
Cisco FirePower: The following improvements have been made:
Updated object group normalized service names related to Inline services.
Automation update to resolve failures while attempting to modify a Network Group Object.
Fortinet: The following improvements have been made:
Normalization will include normalizing the interfaces as enabled and the DHCP IP address definition.
Normalize the IP 'scope' for defined FQDN objects.
Added the ability to correctly normalize and display Internet Service Objects along with the associated IP addresses.
Palo Alto Panorama: The following improvements have been made:
Extended the ability to make the Granular Change by User normalization mapping optional.
Added the ability to plan and implement change by inline IPs in Policy Planner instead of only supporting IPs tied back to defined network objects.

Reports
Scheduled reports sent by email to another recipient now require that the recipient be an active user in the system.
Custom Control Report has been updated to allow Management Stations to be selected as targets of the report.
Security Rules Report has been updated to group output data by Device.
Rule Consolidation Report has been updated to improve the handling of Inline rules.

Improved the vulnerability scanner pack update process.


Added the functionality of configurable SAML assertion checks.
Added support for transparent firewalls with the addition of Network Tap Groups within the FireMon Objects menu.

Added functionality to display the inbound and outbound policy associated with an interface for Juniper MX and Cisco IOS / IOS-XR devices.
Improved scheduled objects to automatically define "AutoDocs" for rule documentation. This change will take the security rule scheduled object definition and auto-populate the stored rule expiration field.

Added the ability to set the device group used for auto design and rule recommendation on a per ticket or per requirement level.
Added the ability to import requirements from an existing ticket.
Enhanced integration between device APA and change plan rule recommendations.

No new Policy Optimizer features in this release.

Improvement Tickets:

Key Summary Module

DPE-1276 Splunk Integration Policy Planner

DPE-1480 [nftables] ICMPv6 Support

DPE-1481 [iptables] ICMPv6 Support

DPE-1538 Hide Device Credentials for Discovered Devices

DPE-1550 [Barracuda v8] Level-3 Usage Testing

DPE-1552 Barracuda Retrieval limit raw files at Child Device level

DEVICE-6290 Automation DTO Changes Device Support


DEVICE-6388 [Palo Alto] Inline IPs for Rules Device Support

DEVICE-6411 [Fortinet] IP Normalization for FQDN Objects Device Support

DEVICE-6293 [Check Point R80] Update granular changes by user Device Support

DEVICE-6084 Implement ICMPv6 Support for Cisco Device Support

DEVICE-6400 [Cisco FMC & FDM] Service Names Device Support

DEVICE-6393 [Cisco Firepower] Automation of Inline Groups Device Support

DEVICE-6426 Show which policy is applied to each interface Device Support

DEVICE-6439 [Palo Alto Firewall] Additional file with set notation for our regex controls Device Support

DEVICE-6453 [Fortigate Firewall] DHCP interface normalization Device Support

DEVICE-6383 [F5 Big-IP] Change detection central syslog regex Device Support

DEVICE-6447 [Fortinet] Destination objects causing normalization to display *Any objects Device Support

DEVICE-6325 [Juniper/JunOS] ICMPv6 support Device Support

FMOS-2100 Refactor `fmos.svc` module FMOS

FMOS-2101 Refactor `fmos.roles` module FMOS

FMOS-2340 Update individual FMOS Health checks to replace "required" with "recommended" FMOS

FMOS-2392 Create FIPS Build Artifact FMOS

FMOS-2472 fmos-img Jenkins job should not fail because of errors uploading rpms.json FMOS

FMOS-1910 CAT I - The x86 Ctrl-Alt-Delete Key Sequence Must Be Disabled On RHEL 8 FMOS

FMOS-1911 CAT I - The systemd Ctrl-Alt-Delete Burst Key Sequence in RHEL 8 Must Be Disabled FMOS

SIP-28673 Configurable SAML Assertion Setting Administration Center

SIP-28842 [Admin] Network Taps List Page - Edit Administration Center

SIP-28847 [Admin] Network Taps - Update Network Segments List Page Administration Center

SIP-26232 [Admin] Network Taps List Page Administration Center Network Modeling

SIP-28399 [Map] Support Transparent Firewalls - Detail Panels Administration Center Network Modeling

SIP-28387 [Map] Network Taps Create/ Edit Modal Administration Center Network Modeling

SIP-28301 [Map] Network Taps - Right Click Actions Administration Center Network Modeling

SIP-28389 [Map] Network Tap Groups - Keylines Combos Administration Center Network Modeling

SIP-28613 [Risk Scanner Plugin] 'Support file' Support Administration Center Security Manager

SIP-28509 [SIP] - Add NetworkTapGroup constraints Part II Network Modeling Security Intelligence Platform

SIP-28737 Add form options for DG override to QA WF Policy Planner

SIP-28699 Show APA Results on Rule Rec UI Policy Planner

SIP-28741 Automation Request List Page Policy Planner


SIP-28744 Navigation for Automation Dashboard/List Pages Policy Planner

SIP-28742 Automation Changes Pages Policy Planner

SIP-28743 Automation Dashboard Policy Planner

SIP-25967 UI/Backend Validation on Service and Network Object Creations Policy Planner

SIP-28614 Allow De/Queueing of ORCH Changes Policy Planner

SIP-26383 [Risk Scanners] Change any reference from "plugin" to "pack" Risk Analyzer

SIP-28592 Add Enforcement Option "Manual Only" Security Intelligence Platform

SIP-28639 Rule Documentation - Populate Duration in Rule Documentation Security Intelligence Platform

SIP-28659 [Policy View] Interfaces Tab - New Filters Security Manager

SIP-28658 [Policy View] Display Policy Information for Interfaces Security Manager

SIP-29021 Policy View - Revert Changes Colors Back to Original Security Manager

SIP-27236 [URL Category] Policy View to Include URL Categories Security Manager

SIP-28591 [Transparent Firewalls] Update Device SIQL Security Manager

SIP-28754 [Admin] Setting to Support Transparent Firewalls Security Manager

SIP-28660 [Interface List Page] Display Policy Information for Interfaces Security Manager

SIP-28839 [a-team] APA Map Right Click Actions Not Working Security Manager

SIP-28986 [Transparent Firewalls] Update Device SIQL to support Transparent Mode Security Manager

56 issues

Resolved Issue Tickets:

Key Summary Module

SIP-28567 Green toast shows when zone imports fail Administration Center Security Manager

SIP-29255 DC- Log Monitoring Status is not reflected correctly on UI. Administration Center Security Manager

SIP-28636 Page titles need updating Administration Center

SIP-28278 Unhandled exception in userGroupTemplateId Administration Center

SIP-28902 [SUPPORT][9.7][On Change Report] Scope change causes report to kick off at unintended change events Administration Center

SIP-28856 "No Results Found" display on Device and Management Station Page Administration Center

SIP-28872 [FMPOC] Bulk update only updates a subset of the fields Administration Center

SIP-29019 Device retrieval doesn't work after fmos update until VM is rebooted Administration Center Security Manager

SIP-29256 DC- Retrieval status is not reflected correctly. Data Collector


SIP-28587 [Microsoft Azure Firewall] Policy Info Needed in Secmgr Normalization Device Support

SIP-24332 Implementation Status is wrong when a device can only commit Global Policy Controller Policy Planner

SIP-28102 [PCA] Errors when there are more than one rule changes in empty policy Network Modeling

SIP-28895 [SUPPORT][9.7] Removable Rules Report False positives Network Modeling

SIP-28937 [FMPOC] [Rule Recommendation] Incorrect reference rule for SRX Network Modeling

SIP-28901 [Upstream Filtering][9.7] Route mode doesn't support multi-path routes Network Modeling

SIP-28880 [SUPPORT] Rule recommendation does not build a rule with all existing objects Network Modeling

SIP-28819 routes used in APA are empty after deleting a network tap Network Modeling

SIP-28892 [9.7] Licensing Not Enforced on Network Rule Rec Network Modeling

SIP-28899 [SUPPORT][9.7] Attack From Here Results in Stack Trace Network Modeling

SIP-28468 [SUPPORT] Investigate PP performance Policy Planner

SIP-28671 API accepting invalid values in Requirement Source/Destination Policy Planner

SIP-28991 [SUPPORT] Catch SIQL syntax errors Policy Planner

SIP-28510 [Clone Server] Don't log auto design failure message in ticket history if auto design completed successfully Policy Planner

SIP-25871 Reset Filter doesn't Clear Filters on Assets or Vulnerabilities Page Risk Analyzer Security Manager

SIP-28898 [SUPPORT][9.7] Handle non-industry compliant GUIDs Risk Analyzer

SIP-28900 [SUPPORT][9.7] TenableIO imports failing with NPE Risk Analyzer

SIP-28905 [SUPPORT][9.7] Tenable import getting into an unexpected loop Risk Analyzer

SIP-28450 Clicking canvas removes highlight Security Intelligence Platform

SIP-27996 Network segment modal should not show devices with no interfaces Security Intelligence Platform

SIP-28785 Applications Group Permissions Issue Security Intelligence Platform

SIP-28662 [SUPPORT] Zone CSV Exports do not include Compliance Zones when run from Device and Device Group views Security Intelligence Platform

SIP-28362 [Map] Not allowing right click in Chrome Security Intelligence Platform

SIP-26231 Map does not auto refresh when an interface is removed from a network segment Security Intelligence Platform

SIP-29304 JMS/STOMP reply messages to SecMgr are failing due to missing type property Security Intelligence Platform

SIP-28364 [SUPPORT] Map not rendering correctly on VDI/RDP/Citrix based browsers Security Intelligence Platform

SIP-28897 [SUPPORT][9.7] Revisions getting stuck in "FINALIZING" status Security Intelligence Platform

SIP-28881 Reindexing failing after 9.7 RC2 update on large internal customer restore VM Security Intelligence Platform

SIP-28992 Map Display is Missing After Network APA Result Security Intelligence Platform

SIP-29051 [SUPPORT] Unable to modify SAML Authentication Server configuration Security Intelligence Platform

SIP-29034 [SUPPORT] Mixed case interface names resolving to the same uppercase version causes map generation to fail Security Intelligence Platform

SIP-28861 [FMPOC] Bulkimport of devices intermittently failing Security Intelligence Platform


SIP-29298 [FMPOC] "Continue session" logging out user out of UI Security Intelligence Platform

SIP-29301 [SUPPORT] NdFinish Failure Condition Security Intelligence Platform

SIP-28747 Cleared APA data should reset map Security Manager

SIP-28871 Applications List page sort order Security Manager

SIP-28876 Connectivity Count produces %%KEY NOT FOUND%% with more than 10 numbers Security Manager

SIP-28875 [SUPPORT] Controls show as failed, but SIQL returns results Security Manager

SIP-28873 [FMPOC] Removed NAT Rules not displaying in Policy View Security Manager

SIP-28853 [Changes By User Report] Errors when running Security Manager

SIP-29237 [SUPPORT] Device Health Report Error Handler Security Manager

SIP-28919 Empty notifications being sent to DC Security Manager

SIP-28577 [SUPPORT] [9.6] SIQL not seeing new values when bulk update clears fields Security Manager

SIP-28595 [Transparent Firewalls] Network Tap Group Layout Issue Security Manager

SIP-29033 Change report objects first column not aligned Security Manager

SIP-29071 Panorama not retrieving after 9.6.2 upgrade to 9.7.1 until reboot Security Manager

SIP-28929 [SUPPORT] NdFinish throws DateTimeException which keeps revisions in finalizing status Security Manager

SIP-28930 [SUPPORT] NdFinish throws ZoneRulesException. Revisions show as failed. Security Manager

SIP-28893 [9.7] No changes shown on enterprise change dashboard for user 'rwalz' after upgrade to 9.6.1 Security Manager

FMPOC-795 SIP WEB session timeout issue on FMOS v9.7.2 Administration Center

FMPOC-769 [FMPOC] A10 Device Normalization error Administration Center

FMPOC-784 [Meraki] normalization failed Data Collector

FMPOC-697 Sophos - Index out of bounds error Device Support

FMPOC-720 NSX-T not normalizing Device Support

FMPOC-724 Palo Alto Device Property Normalization Issue Device Support

FMPOC-728 Fortimanager normalization error Device Support

FMPOC-729 Meraki network objects normalisation fails Device Support

FMPOC-743 F5 retrieval issue - timeout? Device Support

FMPOC-749 Customer cannot not retrieve config from 3 Checkpoint CMAs Device Support

FMPOC-783 Fortigate rules with external connectors normalizing as ANY, causing removable false positives Device Support

FMPOC-813 Service objects not seen in PP for Check Point FW (FMOS v9.7.2) Device Support

FMPOC-815 [9.7] Check Point CMA Discovered Devices - No policies available for selection (v9.7.69 device pack) Device Support

FMPOC-807 DB backup does not run properly after updating to FMOS v9.7.2 FMOS

FMPOC-727 Juniper SRX device never completes normalization, earlier FMOS versions work fine Network Modeling

FMPOC-755 [FMPOC] Juniper SRX - Rule Rec issue Network Modeling

FMPOC-804 Unable to select Any as source/destination in Policy Planner Policy Planner

FMPOC-797 Check Point CMA R80 Retrieval error Security Intelligence Platform

FMPOC-752 Change comparison and change report not showing when there is a NAT rule deleted Security Manager

FMPOC-810 Fortigate firewall default routing is not visible on FMOS v9.7.2. Security Manager

FMPOC-765 [FMPOC] CheckPoint firewall - service object normalization issue(Korean language-Hangle) Security Manager

FMPOC-747 Bulk Update does not change several items around Retrieval and Monitoring

FMPOC-781 [Cisco Meraki] retrieval failed

FMPOC-711 Palo Alto Device Pack 9.6.62

FMPOC-739 [Cisco Meraki] retrieval of +1000 devices

RT-431 [9.6.3 build 379] Check Point R80 CMA is not getting normalized with specific set of offline configuration files, with same files it gets normalized on 9.6.2 GA build Administration Center

RT-425 [Controls] "Allowed Services" lookup field is not getting displayed in "Allowed Services Control Properties" section while editing the "Allowed Services" control. Administration Center

RT-430 [Health Check] Results is showing empty. Administration Center

RT-474 [9.8.0 build 177] Check Point R80 CMA is not getting normalized with specific set of offline configuration files, with same files it gets normalized on 9.8.0 RC1 build Administration Center

RT-476 [9.6.5 build 500] Juniper SRX device provides "Retrieval Error" after offline config file import for a specific test scenario, same scenario works fine on 9.6.5 build 498 Administration Center

RT-460 9.7.2 - Build 271 - CLI commands are not getting generated Policy Planner

RT-459 [9.7.2 Build 271] Policy Planner -> Automation status remains "Running" at Implement stage while pushing Security Rules and Objects on devices. Policy Planner

RT-428 [Logged Connections] Security Rules Page is not getting displayed when clicked on Hit count under Policy dashboard > Logged Connections Security Manager

RT-456 9.6.3 RC1 Build 429: SMW->Risk Analyzer-> Assets and Vulnerabilities - Earlier selected filters are getting applied when new filters are applied. Security Manager

FMOS-1905 `ValueError` exception in fmos.health.checks.ntp.NTPClientCheck FMOS

FMOS-1813 Health check failed message after finishing FMOS Setup UI in AWS FMOS

FMOS-1821 DB, ES roles not removed when database instance is shut down FMOS

FMOS-2133 TEST FAILURE: azure release/9.5 240 (FMOS 9.5): Timed out running health checks FMOS

FMOS-2731 SystemInfoService.get_system_state blocks event loop FMOS

FMOS-2848 [SUPPORT] Backup issue on Multi DB environment FMOS

FMOS-2818 First boot sometimes hangs starting systemd-firstboot FMOS

DEVICE-6316 [SUPPORT] [Amazon AWS] Retrievals don't get expected data Device Support

DEVICE-6537 [AWS] ACL Normalization of ANY in inbound/Dest and the outbound/Src rules Device Support

DEVICE-6485 [Amazon AWS] Assets Tab Adjustment Device Support

DEVICE-6542 [FMPOC] Missing Policy routes when no ACL are applied to interfaces. Device Support

DEVICE-6419 [SUPPORT] [F5 - BigIP] Automation fails when trying to create network objects Device Support

DEVICE-6489 [Palo Alto Panorama] Rule Modify Automation Issue when Rule Name Changed Device Support

DEVICE-6498 [Palo Alto Firewall/VSYS] Change how Rule Modify Automation works when Rule Name is changed Device Support

DEVICE-6561 [Cisco IOS] Rule automation fails with NullPointerException Device Support

DEVICE-6475 [GCP] Device Management IP address Issue Device Support

DEVICE-6421 [Check Point R80 CMA] Don't call logout function if login function fails to retrieve a sessionid Device Support

DEVICE-6517 [FMPOC] [Check Point R80 CMA] Retrievals stuck in show-task loop Device Support

DEVICE-6521 [SUPPORT] [Check Point R80 CMA] Some child devices are not discovered Device Support

DEVICE-6538 [FMPOC][Check Point] Retry counter incrementing on failed task Device Support

DEVICE-6544 [FMPOC] [Check Point R80 CMA] Service normalized as any Device Support

DEVICE-6574 [SUPPORT] [Check Point R80] Rules with no policy-targets are not normalized Device Support

DEVICE-6747 [FMPOC] [Check Point R80] Set scope for Any network object Device Support

DEVICE-6765 [FMPOC] [Check Point R80] Current scope of service objects limits us to just user created objects in Policy Planner Device Support

DEVICE-6645 [SUPPORT] [Check Point R80 CMA] Normalization fails with NoSuchMethodError Device Support

DEVICE-6670 [FMPOC][Check Point R80 CMA] get_layer_rules failures Device Support

DEVICE-6725 [Check Point] Policy Route normalization incorrect Device Support

DEVICE-6739 [FMPOC] [Check Point R80 CMA] Retrieve routes for CMAs when domain is not set Device Support

DEVICE-6282 [Cisco FirePower] GPC Managed Section - Duplicate Rule Status Issue Device Support

DEVICE-6340 [SUPPORT] [Cisco ASA FWSM Context] Hit count retrievals fail with UnicodeDecodeError Device Support

DEVICE-6362 [SUPPORT] [Cisco IOS XR] Handle BGP routes with no network Device Support

DEVICE-6463 [Cisco ACI Tenant] Check For Change Additional Stuff to Ignore Device Support

DEVICE-6464 [FMPOC] [Cisco Meraki] Handle named groups and objects in security rules Device Support

DEVICE-6469 [SUPPORT] [Cisco IOS XR] Run bgp commands for each VRF Device Support

DEVICE-6503 [FMPOC] [Cisco Meraki] Handle paging for more than 1000 networks Device Support

DEVICE-6520 [SUPPORT] [Cisco IOS XR] Duplicate routes cause rule recommendation to give weird results Device Support

DEVICE-6552 [SUPPORT] [Cisco ISE] Normalization fails with NPE Device Support

DEVICE-6569 [SUPPORT] [Cisco FMC] Normalization Throws NPE filterAPPs Device Support

DEVICE-6575 [SUPPORT] [Cisco ASA] Normalization fails with ArrayIndexOutOfBoundsException Device Support

DEVICE-6611 [FMPOC] [Cisco Meraki] Retrieval fails with 'No connection adapters were found' error Device Support

DEVICE-6640 [FMPOC] [Cisco Meraki] Normalization fails with NPE Device Support

DEVICE-6528 [FMPOC][Juniper SRX] Revision stuck in "Finalizing" for more than 12 hours Device Support

DEVICE-6434 Scope is missing from some objects of Panorama and its managed devices Device Support Policy Planner Security Manager

DEVICE-6360 [SUPPORT] [Palo Alto VSYS] Check for change retrievals fail with FileNotFoundError Device Support

DEVICE-6363 [SUPPORT] [Juniper QFX] Routes not retrieved when setting enabled Device Support

DEVICE-6375 [SUPPORT] [Fortinet VDOM] Retrievals fail with timeout error Device Support

DEVICE-6380 [SUPPORT] [Palo Alto] Handle URL Categories with '.' in the name Device Support

DEVICE-6342 [Panorama] VSYS FromServer retrievals can fail when Panorama has never successfully committed to child firewall Device Support

DEVICE-6417 [FMPOC] [Palo Alto] dosTcpSynEnable device property is not set to true Device Support

DEVICE-6430 [FMPOC] [VMware NSX-T] Normalization fails with NPE Device Support

DEVICE-6435 [SUPPORT] [Fortinet Fortigate VDOM/Firewall] Normalization fails with ArrayIndexOutOfBoundsException Device Support

DEVICE-6437 [FMPOC] [Palo Alto Firewall/VSYS] Device properties not set as expected Device Support

DEVICE-6438 [SUPPORT] [Fortinet Fortigate VDOM] Normalization fails with UnsupportedOperationException Device Support

DEVICE-6458 [SUPPORT] [Palo Alto Panorama] Set scope to 'Predefined' for service 'application-default' Device Support

DEVICE-6461 [FMPOC] [Fortinet FortiManager] Handle child devices with no IPs Device Support

DEVICE-6478 [SUPPORT] [Palo Alto Firewall/VSYS] Check global xpath for application objects Device Support

DEVICE-6486 [SUPPORT] [Fortinet FortiGate VDOM] Retrieval fails with timeout Device Support

DEVICE-6491 [SUPPORT] [Palo Alto VSYS/Firewall] Rule normalized without policyRules section Device Support

DEVICE-6492 [SUPPORT] [Palo Alto Panorama] Add setting to skip granular change log retrieval Device Support

DEVICE-6499 [SUPPORT] [Palo Alto Firewall] Research why NdUpload sometimes sends 5 NdPolicyDTOs Device Support

DEVICE-6516 [FMPOC] [F5 BigIP] Retrieval fails for extremely complex configurations Device Support

DEVICE-6518 [SUPPORT] [Palo Alto] Password logged in clear text when connection times out Device Support

DEVICE-6555 [SUPPORT] [Fortinet] Prevent problem records for aliased interfaces/zones Device Support

DEVICE-6762 [FMPOC] [Fortinet] Missing routes during normalization Device Support

DEVICE-6602 [SUPPORT] [Fortinet Firewall] [Fortinet FortiGate VDOM] Invert wildcard masks Device Support

DEVICE-6628 [FMPOC] [Fortinet firewall] [Fortinet FortiGate VDOM] Normalize external-resource objects with no definition Device Support

DEVICE-6500 [Cisco IOS/Cisco XR/Nexus] Automation of array type network objects fails Policy Planner

DPE-1288 [nftables] Normalization Issue

DPE-1474 [FMPOC] [Sophos XG] CLI retrieval fails when login disclaimer is present

DPE-1503 [SUPPORT] [nftables] Normalization fails with NPE

DPE-1563 [SUPPORT] [Zscaler ZIA] Normalization fails with NPE

DC-1827 Backoff When REST Connection Test Fails Data Collector

164 issues
Resolved Support Tickets:

Key Summary Support Ticket Number

SUPPORT-5206 Risk Analyzer map not loading 137347

SUPPORT-5291 Removable Rules Report Giving Unclear Information 133806

SUPPORT-5298 Customer is unable select the RA module using the device group that we set up. 138342

SUPPORT-5304 Normalization durations longer than expected, impacting daily change reports 137551

SUPPORT-5318 Topology map unclear or black screen 138813

SUPPORT-5336 Policy Planner Tickets Processing Extremely Slow 137795

SUPPORT-5343 Multiple change reports generated - Checkpoint R80 CMA 138417

SUPPORT-5375 Juniper QFX not retrieving routes 139110

SUPPORT-5379 ASA context 'utf-8' codec can't decode byte 139339

SUPPORT-5382 Fortigate VDOM retrievals failure in FMOS 9.6.1 139171

SUPPORT-5393 Unexpected RuleRec Cisco iOS-XR 139441

SUPPORT-5397 RA Tenable IO import Issue 139461

SUPPORT-5400 Bulk update Clear fields option not working 139471

SUPPORT-5403 Intermittent Normalization errors against revisions 139486

SUPPORT-5417 nftables normalization errors 138915

SUPPORT-5418 Rule Recommendation is Hanging 139624

SUPPORT-5423 Zone CSV Exports do not include Compliance Zones when run from Device and Device Group views 139650

SUPPORT-5424 Question around how Palo URL matching works 139671

SUPPORT-5432 F5 FW Unable to add cloned object to existing on-device object group 139574

SUPPORT-5443 Retrievals are failing Post Panorama upgrade to 10.1.4-h4 139910

SUPPORT-5449 Policy Optimizer Tickets Stating "Do not have permission to view this rule" 139950

SUPPORT-5451 Fortigate vdom normalization error 139984

SUPPORT-5452 PaloAlto Firewall giving false positive normalization warnings 13906

SUPPORT-5455 Security Manager - Unable to render topology map 140047

SUPPORT-5456 Fortinet VDOM not normalizing 140037

SUPPORT-5461 Expected iOS-XR devices not appearing in Rule Rec 140088

SUPPORT-5462 Application-Default Service Object in Policy Planner is not available for Panorama 140032

SUPPORT-5464 Policy Planner Automation - unnecessary subdivision of Subnets 140097

SUPPORT-5478 Rule Recommendation appears to be limiting to two objects or providing incorrect results 140413

SUPPORT-5479 Normalized Palo Alto firewall policy not showing application objects even though they exist on the policy 140422

SUPPORT-5482 APA map fails to load 140439

SUPPORT-5485 Fortigate VDOM device pack retrieval error after upgrade 140460

SUPPORT-5487 Higher than expected usage AS to DC 140483

SUPPORT-5494 Juniper SRX Devices Failing to Display Security Rules or Policies 139885

SUPPORT-5504 Tenable Data failing to import 140640

SUPPORT-5510 Issue When Running Custom Filters in Policy Planner 140690

SUPPORT-5513 Palo Alto any-any-drop control failing 140706

SUPPORT-5514 Panorama is failing on retrieval 1399921

SUPPORT-5515 Check Point CMA is not discovering all of its managed devices in SIP 139992

SUPPORT-5518 Panorama Async Timeout 140732

SUPPORT-5522 Palo Alto VSYS intermittent retrieval errors 140790

SUPPORT-5524 Check Point devices are not deleting 140028

SUPPORT-5533 Normalization errors on an AWS FortiGate 140632

SUPPORT-5543 Cisco ISE failing to Normalize 140992

SUPPORT-5545 SIP is not discovering a CMAs managed firewall devices 140948

SUPPORT-5554 SIP does not detect new firewalls added to CMA 141070

SUPPORT-5568 FMC has good check for change retrieval but is not normalizing. Child devices: FTD's are normalizing. 139706

SUPPORT-5571 SAML in 9.7.1 missing Service provider Metadata BOX - SAML not working after Upgrade from 9.6.2 141167

SUPPORT-5572 Zscaler management station is not normalizing. 139521

SUPPORT-5574 CMA is not discovering managed devices in FireMon 140931

SUPPORT-5577 After upgrade to 9.6.2, getting errors on GUI login - Backend Server Unavailable and I/O reactor status: stopped 141193

SUPPORT-5582 Check Point R80 FW Normalization not taking "Install-on" column into consideration, causing reduced number of rules to appear on gateways 141273

SUPPORT-5584 ASA config does not normalize 140811

SUPPORT-5594 Retrieval Errors with Fortigates 141339

SUPPORT-5606 Missing network segments 141532

SUPPORT-5626 Device health page shows alert even when everything is working 141550

SUPPORT-5637 Device health page shows alert even when everything is working 141632

SUPPORT-5642 Device Health Report Error 140350

SUPPORT-5645 Normalization failures post upgrade to 9.6.3 141838

59 issues

v9.8.1

Release Date: 28 Sep 2022


Validated and successful update paths from 9.6.6, 9.7.3, 9.7.4, and 9.8.0 to 9.8.1

Improvement Tickets:

Key Summary Module

DEVICE-6778 [Check Point CMA R80] Implement option to push to gateway when committing to manager Device Support

DEVICE-6648 [Check Point] Access Role - Normalization Device Support

DEVICE-6677 ASA & Context- Modify DevPack to allow customer to define port used for Automation Device Support

3 issues

Resolved Issue Tickets:

Key Summary Module

SIP-29219 [FMPOC] Can't add destination for route on synthetic router Administration Center

SIP-29433 [FMPOC] Unable to login with eval license Administration Center

SIP-29240 [a-team] 404 Error Finding Risk Icon Template Administration Center

SIP-29305 [Check Point] Behavior issue when all interfaces aren't in a zone Network Modeling

SIP-29540 [SUPPORT] Rule recommendation shows error for devices when using subnet Network Modeling

SIP-29210 Updating a network tap group deletes an IP address on the network segment Network Modeling

SIP-29196 network model not getting updated when a network tap group is created Network Modeling

SIP-29213 network tap group network segment is not deleted when network tap group deleted Network Modeling

SIP-29134 [SUPPORT] Policy Optimizer mismatched data causes review to show as 'The rule does not exist on the device' Policy Optimizer

SIP-29715 Policy Planner - Import from ticket- Import button is not working . Policy Planner

SIP-29201 Policy Planner - Import Requirements Import Behavior Modal when there are no requirements Policy Planner

SIP-29505 Pop-up indicating there are existing requirements even when there are no existing requirements Policy Planner

SIP-29779 Unable to save Rule Change - Step 3 Policy Planner


SIP-29493 PP application lookup uses name instead of displayName for searching/sorting Policy Planner

SIP-29561 [SUPPORT] Improve validation of IPv4 and IPv6 addresses Policy Planner

SIP-28877 [SUPPORT] PP not ignoring disabled workflow tickets when checking for conflicts Policy Planner

SIP-28928 [SUPPORT] Filter Save function does not allow for modification as expected Policy Planner

SIP-29703 [SUPPORT] Import Requirement Doesn't Work During Ticket Creation In Custom Workflow in FMOS v9.8 Policy Planner

SIP-29209 Policy Planner - Import Requirements Object is not Validating Month Formatting Security Intelligence Platform

SIP-29641 License Expired Allow Login Security Intelligence Platform

SIP-29135 [SUPPORT] Device Consistency Report shows changes that don't exist Security Intelligence Platform

SIP-29155 [Reports] Highlighting is missing Security Intelligence Platform

SIP-28896 [SUPPORT] [9.7][Rule Consolidation Report] Not Completing Security Intelligence Platform

SIP-29316 [SUPPORT] Compliance and assessment setting not being persisted Security Intelligence Platform

SIP-28413 [Rule Recommendation] Remove support for editing Panorama config when targeting a firewall or vsys device Security Manager

SIP-29107 [SUPPORT] Regex Multi-pattern controls give unexpected results Security Manager

SIP-29117 Security Rules report erroring Security Manager

FMPOC-814 Cant authenticate after uploading license Administration Center

FMPOC-790 CheckPoint CMA Normalization Issues on FMOS v9.7.2 Administration Center

FMPOC-785 Route not added on Synthetic Router Administration Center

FMPOC-811 Policy normalization failed for CheckPoint VSX on FMOS v9.7.2 Administration Center

FMPOC-778 APA is not considering the available route on Cisco Router Device Support

FMPOC-802 Meraki normalisation null-pointer exception Device Support

RT-396 [Auto Design] Fails when "any" is added in source, destination and service field for Fortinet VDOM offline device Network Modeling

RT-469 [9.8.0 Build 160 - Security Rules Report ] PDF/HTML Report generated for Custom Query are not getting highlighted in report Security Manager

DEVICE-6777 [AWS] Organization INFO Logging Authorization header Creds Device Support

DEVICE-6763 [SUPPORT] [Amazon AWS] Normalization failing with NPE Device Support

DEVICE-6774 [AWS] Intermittent Retrieval Error Device Support

DEVICE-6780 [AWS] PP Modify Issue Device Support

DEVICE-6730 [Juniper MSeries] Automation Clone v6 into v4 and other Assumptions Device Support

DEVICE-6769 [Juniper SRX] GPC 'null' Exception During Managed Section Creation Device Support Global Policy Controller

DEVICE-6785 [Cisco IOS-XR] Do not generate partial commands on exception Device Support

DEVICE-6787 [Check Point MDS] Automate Service "any" with application as only application Device Support

DEVICE-6582 [Cisco IOS] Automation failure java.text.ParseException Device Support

DEVICE-6658 [Cisco IOS-XR] any6 not handled in automation Device Support


DEVICE-6661 [Cisco IOS-XR] handle host addresses in automation Device Support

DEVICE-6752 [Cisco ASA/ASA Context] Automation not handling inline network objects correctly Device Support

DEVICE-6669 [Cisco ASA] CLI generation fails if retrieval username is blank Device Support

DEVICE-6802 [Barracuda Control Center] UseAPI setting is backwards Device Support

DEVICE-6766 [FMPOC] [Check Point R80] Handle access-role defined with any user Device Support

DEVICE-6877 [SUPPORT] [Check Point R80] Host objects lose IP address with 9.7.74 device pack Device Support

DEVICE-6644 [FMPOC][Cisco IOS] APA matching wrong route Device Support

DEVICE-6727 [FMPOC] [Cisco Meraki] No security rules normalized due to IllegalStateException Device Support

DEVICE-6789 [Cisco Viptela] Normalization Fails With Exception Device Support

DEVICE-6660 [Cisco IOS-XR] ACL inline address normalization Device Support

DEVICE-6783 [Cisco ACI Tenant] Regex issue with Check for Change Device Support

DEVICE-6801 [CloudGenix] Retrieval Issue Device Support

DEVICE-6726 [SUPPORT] [Palo Alto] Handle circular dependencies during normalization Device Support

DEVICE-6675 [F5 BigIP] Rule-list ruleName not normalized consistent with non-rule-list-rules Device Support

DEVICE-6889 [SUPPORT] [Juniper SRX] Logical sub interfaces no longer normalized Device Support

60 issues

Resolved Support Tickets:

Key Summary Support Ticket Number

SUPPORT-5347 Policy Planner showing ticket conflicts from disabled workflows 139095

SUPPORT-5372 Clean up reports are either failing or never completing on FTDs with 1000s of rules each 139258

SUPPORT-5512 Policy Planner Ticket Filter Save Function not working as expected 140694

SUPPORT-5517 Policy Optimizer Review Requests Stating "Do not have permission to view this rule" 140739

SUPPORT-5551 Multi Regex Patterns not returning expected results - Passing when nothing matches 131041

SUPPORT-5587 Device consistency report is not correctly processing Network Objects and Security Rules 141068

SUPPORT-5589 Policy Optimizer unable to find rules correctly 141369

SUPPORT-5615 Check Point CMA no longer normalizes after upgrade 141575

SUPPORT-5617 CP CMA R81.10 doesn't finish retrieval (never) 141632

SUPPORT-5627 Policy Planner tickets generating error when assigning during Implementation Stage 141690

SUPPORT-5631 R80 CMA does not normalize after 9.6.3 upgrade 141650

SUPPORT-5644 Notify Only Upon Failure does not stay enabled 141797

SUPPORT-5657 Normalization are failing for Palo Alto Panorama after upgrading to 9.6.3 and Panorama 10.1.6 H3 141867

SUPPORT-5665 PP Input Validation issue for IPv6 addresses 141965

SUPPORT-5675 AWS Device is not properly returning data 141315

SUPPORT-5706 PP no recommendation with subnet 142443

SUPPORT-5710 license expiry warning stops logins NA

SUPPORT-5713 DCs Crashing Frequently With Out Of Memory Error 142464

SUPPORT-5730 Import Requirement Doesn't Work During Ticket Creation In Custom Workflow in FMOS v9.8 142658

SUPPORT-5752 Check Point device objects lose their IP information after retrieval with newer device pack 142991

SUPPORT-5757 9.8.0 SRX Not all interfaces (reth) being normalized. 143014

21 issues

v9.8.2

Release Date: 21 Oct 2022


Validated and successful update paths from 9.6.6, 9.7.4, 9.7.5, and 9.8.1 to 9.8.2

Improvement Tickets:

Key Summary Application

No issues found

Resolved Issue Tickets:

Key Summary Module

FMPOC-788 Rule Recommendation is not executed properly by Fortigate vdom firewall Device Support

DEVICE-6674 [F5 BigIP] Automation that uses a rule-list that has multiple references will not modify all instances Device Support

DEVICE-6750 [Check Point R80 CMA] Retrieval fails when using Policy Package Name(s) to Ignore setting Device Support

DEVICE-6894 [SUPPORT] [Check Point R80 CMA] Normalization fails with IllegalStateException Device Support

DEVICE-6893 [SUPPORT] [Palo Alto] Zones not normalized on security rule Device Support

DEVICE-6755 [FMPOC] Rule recommendation does not return results for interfaces names with spaces and/or special characters Device Support

DC-1864 Snmpget Complains About msgMaxSize From SnmpAgent Data Collector

DC-1875 [SUPPORT] Device deduplication fails in some cases Data Collector

8 issues

Resolved Support Tickets:

Key Summary Support Ticket Number

SUPPORT-5748 MSSP Customer Subdomain device retrievals are still failing after upgrade from 9.6.4 to 9.7.2 142490

SUPPORT-5795 DataCollector's Keep Crashing 143064

SUPPORT-5796 Backlog of revisions in "Finalizing" growing since upgrade to v9.7.3 143395

3 issues

Update FMOS

Note: Not all device changes are included with an updated release. For specific device issues, please contact support personnel to get the latest device pack for the vendor.

Caution! During the update process, all FireMon Security Intelligence Platform components will be stopped and connectivity will be terminated. Please consider updating your product during periods of low product use to minimize the effects of this loss of connectivity.

Prerequisite: Before installing any updates, it’s advisable to verify that you have a successful backup. If not, creating a backup is advised.

Note: If you are updating from 9.6.x or 9.7.x, a new install with a previous backup restore is not needed. If you are updating from a release that is three (or more) behind current release, please contact [email protected].

For a distributed environment, there is a specific server order to install the update.

1. Database Server
2. Application Server
3. Data Collector

For a single-server environment, install the update on the application server first and then any data collectors.

Install the Update / New FMOS Release

Prerequisite: Shut down your application server. At the prompt, type the following command: fmos maintenance begin

To update your FMOS server, complete the following steps.

1. Log on to the User Center.
2. Click Downloads.
3. In the SIP Software section, click the link to be directed to the download selection page.
4. In the Install Selection section, select your deployment type.
5. In the Distribution Selection section, select the distribution type based on how your ecosystem is deployed.
6. In the Select File section, verify that the install and distribution types are correct and then click Select File to be directed to the file download page.
7. Click Download.
8. For users not updating from 9.x or who have not set the update channel: For a single-server environment, copy the file to your application server. For a distributed environment, copy the file to your database server.

Copy the ISO image file to /var/tmp, and then use that path in the fmos update command.
9. Access the appropriate server (either application server or database server).
10. At the prompt, type the following command:

For existing 9.x users who have set the update channel: fmos update
For users not updating from 9.x: fmos update /var/tmp/<filename> (replacing <filename> with the name of the file you downloaded)
11. You will be guided through the update process.
12. You will be asked to reboot the server. Type Y at the prompt to start the reboot process.
13. For a single-server environment, repeat the steps to update any data collectors. For a distributed environment, repeat the steps to update the application server (if you have multiple application servers, update each one at a time and reboot each individually) and then the data collectors.

For new installs: After installing v9.8, refer to the FMOS User Guide topic Set the FMOS Update Channel.

For installing 9.8: After the data collector is up and running, you must manually enter the data collector’s IP address in its properties page.

1. Log in to SIP and open the Administration module.
2. On the toolbar, click System > Data Collectors.
3. Click the data collector’s name to open its Edit page.
4. In the General Properties section, enter the IP Address of the data collector.
5. Click Save.

Update Notifications
The User Center has an RSS feed available for Security Intelligence Platform releases and documentation. If you would like to subscribe to this feed, you can find it on the Downloads page in the User Center.
